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Abstract 

This paper presents the correctness proof of Saturation, an algorithm for generating state spaces 
of concurrent systems, implemented in the SMART tool. Unlike the Breadth First Search exploration 
algorithm, which is easy to understand and formalise. Saturation is a complex algorithm, employing 
a mutually-recursive pair of procedures that compute a series of non-trivial, nested local fixed points, 
corresponding to a chaotic fixed point strategy. A pencil-and-paper proof of Saturation exists, but a 
machine checked proof had never been attempted. The key element of the proof is the characterisa- 
tion theorem of saturated nodes in decision diagrams, stating that a saturated node represents a set 
of states encoding a local fixed-point with respect to firing all events affecting only the node's level 
and levels below. For our purpose, we have employed the Prototype Verification System (PVS) for 
formalising the Saturation algorithm, its data structures, and for conducting the proofs. 


1 Introduction 

Software systems have become a key part of our lives, controlling or influencing many of the activities 
that we undertake every day. Software correctness is particularly important for safety-critical systems 
where people's lives can be at risk. Such systems have to be rigorously checked for correctness before 
they can be deployed. Several formal techniques and tools for reinforcing the dependability of critical 
systems exist. Temporal logic model checking is a technique to verify systems algorithmically, using 
a decision procedure that checks if a (usually finite) abstract model of the system, expressed as a 
state-transition system, satisfies a formal specification written as a temporal logic formula [7, 13]. 
Additionally, theorem proving is a technique to establish mathematical theorems and theories with 
the aid of a computer program, i.e., a theorem prover. Theorem pro vers usually require the interaction 
with an experienced user to find a proof. While model checking has been successfully used to find 
errors, it is seldom used to seek the absolute correctness of a system or application. On the other 
hand, provers and proof checkers are oftentimes the most reliable means available for establishing a 
higher level of correctness. 

For both approaches however, from the point of view of validation, and even certification, there is 
the outstanding issue of trustworthiness: if a formal analysis tool is employed, how does one establish 
the semantic validity of the analysis tool itself - in other words, who is checking the checker? While 
the formal methods community has been functioning on the premise of accumulated trust - some 
theorem provers and model checkers accumulate a track record of being trustworthy - the issue of 
certifying verification tools is of undeniable concern, the more so as experience shows that automated 
verification tools are far from being free of bugs [14]. 

Regulatory authorities (FAA, CAA, or DOD) require software development standards, such as 
MIL-STD-2167 for military systems and RTCA DO-178B for civil aircraft. While certified tools for 
generating code exist, they have been mostly confined to a very narrow segment, such as synchronous 
languages for embedded systems and are usually of proprietary nature. 

In this paper we attempt to establish the correctness of a general purpose model checking al- 
gorithm, with the help of a theorem prover. More precisely, we present the PVS proof of correct- 
ness for Saturation [5], a non-trivial algorithm for model checking concurrent systems, implemented 
within the SMART [6] formal analysis tool. We have employed the Prototype Verification System 
(PVS) [12] for formalising the Saturation algorithm, the Multi-valued Decision Diagrams (MDDs) 
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[15] data structure, and for conducting the proofs. Unlike the Breadth First Search exploration al- 
gorithm which is easy to understand and formalise. Saturation is a high-performance algorithm, em- 
ploying a mutually-preemptive, doubly-recursive pair of procedures that compute a series of nested 
local fixed points, corresponding to a chaotic global fixed point strategy. The key result of the proof 
is the characterisation theorem of saturated nodes in decision diagrams, stating that a saturated node 
represents a set of states encoding a local fixed-point with respect to firing all events affecting only 
the node’s level and levels below. Saturation requires a Kronecker consistent partition of the system 
model in sub-models. The PVS proofs presented here take advantage of the Kronecker consistency 
property to express how the state-spaces generated by local next-state functions relate to the global 
state-space. In this regard. Saturation’s correctness proof outlines an approach that may be re-used in 
the correctness proofs of an entire class of algorithms that rely on structural properties. Additionally, 
the PVS formalisation makes the invariant relating Saturation and the firing routine explicit. This is 
an important requirement for the SMART code. Its implementation, and the implementation of the 
structures it uses for storing state-spaces, must satisfy this invariant. 


2 Preliminaries 

Saturation employs Multi-valued Decision Diagrams (MDDs) [15], an extension of the classical 
Binary Decision Diagrams (BDDs), to symbolically encode and manipulate sets of states for con- 
structing the state-space of structured asynchronous systems. MDDs encode characteristic functions 
for sets of the form Sk x ••• x Si for systems comprising K subsystems, each with its local state 
space Sk, for K >k> 1. The particular MDD variant used in Saturation (quasi-reduced, ordered) is 
formally given in Definition 1 . 

Definition 1 (MDDs). MDDs are directed acyclic edge-labelled multi-graphs with the following 
properties: 

1. Nodes are organised into K + 1 levels from 0 to K. The expression ( k\p } denotes a generic 
node, where k is the node ’s level and p is a unique index for a node at that level, 

2. Level 0 consists of two terminal nodes (0|0) and (0| l), which we often denote 0 and 1. 

3. Level K contains only a single non-terminal node ( K , rj, the root, whereas levels K— 1 through 
1 contain one or more non-terminal nodes. 

4. A non-terminal node ( k\p ) has |S£| arcs pointing to nodes at level k— 1. An arc from the 
position ik 6 Sk to the node ((k — 1)|<?) is denoted by \k\p)[ik] = q. 

5. No two nodes are duplicate, i.e., there are no nodes ( k\p ) and ( k\q ) such that pfq and for all 
iu e S k , (k\p)[h) = {k\q)[i k \. 

In contrast to [15], not fully- but quasi-reduced ordered MDDs are considered in Saturation, 
hence redundant nodes, i.e,, nodes ( k\p } such that (k\p)[ik] = (k\p) [jk] for all ikfjk, are valid 
according to definitions used in Saturation. This relaxed requirement can potentially lead to a much 
larger number of nodes, but in practice this rarely occurs. On the other hand, the quasi-reduced form 
has the property that all the children of a node are at the same level, which can be exploited in the 
algorithm. Equally important, the quasi-reduced form is still canonical, as the fully-reduced form is. 
A sequence a of local states (4, . . . , i i ) is referred to as a sub-state. Given a node ( k\p ), the node 
reached from it through a sequence a of local states t ) is defined as: 

[ ( k\p ) if <7 = (), the empty sequence 

(k\p)\o] = < 

\ <( k-l)\(k\p)[i k ])[<J '] if <J = (i k ,(j'), with^eS*. 

A sub-state <7 constitutes a path starting at node ( k\p ), if (k\p}[cy] = (0|1). 3S(k,p) is the set of 
states encoded by ( k\p ), i.e., those states constituting paths starting at node ( k\p ). 

{%(k,p) = {cr 6 5/.. x • • • x : [k\p)[a] = (0| 1) } 
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2.1 Kronecker Consistency 

Saturation requires a Kronecker consistent partition of the system model into K sub-models. A next- 
state function ,/L of a Kronecker structured asynchronous system model is defined on the potential 
state-space S : Sk x • • • x Si decomposed by event, i.e., MY = \J e ^gMY e . An event e has a Kronecker 
representation for a given model partition if JY e can be written as the cross-product of K local next- 
state functions, i.e., ^Y e = JY e K x • • • x Jlf}, where jY k : Sk — > 2^*1, for K > k > 1. Since Sk are 
all assumed to be finite in Saturation, S : Sk x ■■■ x S\ can be regarded as a structure of the form 
S : {1. ■ ■ ■ ,nx} x ■ ■ ■ x {1,- • • ,«i}, where n* = |Sjt|. A partition of a system model into sub-models is 
Kronecker consistent if every event e has a Kronecker representation for that partition. The definition 
of jY e can be extended to a set of sub-states X, j V e (X ) = U x ex^e( x )’ and to a set of events §, 
jYg() f) = \f e ^.gYY e {X). An event depends on a particular level if the event affects the (local) state- 
space generated for that partition at that level. Let Top(e) and Bottom(e) be the highest and lowest 
levels an event e depends, two cases in the definition of jVg result when £ = {e: Top(e) < k } and 
£ k = {e : Top(e) = k). We write as a shorthand for Ae : Top(e) < k} > and ^=k as a shorthand for 
^Ygk. The reachable state-space S C S from an initial system state X is the smallest set containing 
X and being closed with respect to jY , i.e., S = XU <sY(X) U yY(yY(X)) • • • = j Y*(X ), where * 
denotes the reflexive and transitive closure. 

2.2 Saturation 

Saturation relies on a routine Fire(e, k, p), for exhaustively firing all the events e such that Top(e) = k, 
and recursively calling Saturation of any descendant (k\p)[ik] of (k\p). Fire, like Saturation, checks 
whether e is enabled in a node (k\p) and then reveals and adds globally reachable states to the MDD 
representation of the state-space under construction. However, unlike Saturation, Fire operates on 
a fresh node instead of modifying (k\p) in place, since (k\p) is already saturated. In Saturation, 
MDDs are modified locally and only between the levels on which the fired event depends on. The 
enabling and the outcome of firing an event e only depend on the states of sub-models Top(e) through 
Bottom(e). Definition 2 formalises the idea of a saturated node. Saturation and the routine for firing 
events are mutually recursive, related through the following invariant conditions: Saturate is called 
on a node (k\p) whose children are already saturated. Fire is always invoked on a saturated node 
(l\q) with 1 < Top(e) and Saturate is invoked just before returning from Fire. 

Definition 2 (Saturated Node). An MDD node ( k\p ) is saturated if it encodes a set of states that is a 
fixed-point with respect to the firing of any event affecting only the node’s level or lower levels, that 
is, if 38(k,p) = jq k (@{k,p)). 

2.3 Saturation’s Correctness 

For ease of reference, Figure 1 shows the pseudo-code for the Saturation and event firing algorithms. 
We reproduce here the original pencil-and-paper correctness proof of the theorem relating both algo- 
rithms, for ease of reference, then proceed with the formal PVS proof. 

Correctness. Let ( k\p ) be a node with K > k > 1 and saturated children, and (l]q) be one of 
its children with q / 0 and l = k— 1 ; let fit stand for 38{l,q) before the call Fire(e,l,q), for some 
event e with l < Top(e), and let F represent 38(1, f), where / is the value returned by this call; Then, 

Proof. By induction on k. For the induction base, k = 1, the only possible call Fire(e,l, 1) returns 1 
because of the test on /, which has value 0, in Line 1 in Figure 1. Then, ‘fA = V = {()} and {()} = 

For the induction step we assume that the call to Fire(e, l— 1, •) works correctly. Recall that / = k— 1. 
Fire does not add further local states to J£, since it modifies "in-place” the new node (l\s), and not 
node (l\q) describing the states from where the firing is explored. The call Fire(e,l,q) can be resolved 
in three ways. If 1 < Bottom(e ), then the returned value is f = q and (fX ) = ^ for any set ; 
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since q is saturated, 33(1, q) = ^^(33(1^)) = ^K?[(^V e (33(l,q))). If Z > Bottom(e) but Fire has been 
called previously with the same parameters, then the call Find(FCache[l\,{q,e},s) is successful. 
Since node q is saturated, it has not been modified further; Finally, we need to consider the case where 
the call Fire(e,l,q) performs “real work.” First, a new node (l\s) is created, having all its arcs ini- 
tialised to 0. We explore the firing of e in each state i satisfying (l\q) [Z] ^ 0 and ^Fj e ( i ) ^ 0. By induc- 
tion hypothesis, the recursive call Fire(e,l— 1, (l\q) [;]) returns 1, (Z|g) [/]))). Hence, 

when the "while 33 ^ 0” loop terminates, 38(1, s) = [J ; ^,JFj(i)x ^(^(38(1-1, (l\q)[i\))) = 
j (j V e (33(l , q))) holds. Thus, all children of node (l\s) are saturated. According to the induction 
hypothesis, the call Saturate^, s) correctly saturates (l\s). 

Therefore, we have 33(1, s) = ^IQ l (^K?i_ l (^F e (33(l,q))) = yK?i(^F e (33(l,q))) after the call. □ 


3 The PVS Formalisation 

We used the Prototype Verification System (PVS) [12] for formalising Saturate, the MDD data struc- 
ture it uses to store state-spaces, and for conducting the correctness proofs. Our formalisation is 
purely functional, e.g., we do not formalise memory and memory operations. The main goal of 
our PVS formalisation is to machine-check the pencil-and-paper correctness proof of Saturate, in- 
troduced in Section 2.3 and Figure 1. Modelling memory is necessary when one is interested in 
generating actual code from the formalisation. We are planning to port our PVS formalisation to 
AtelierB [2] and use refinement calculus techniques to generate Saturation actual code from the B 
model. Yet, this is future work. 

We started formalising the basic concepts employed by the definition of Kronecker consistency 
such as events, states, local state values, next-state functions, local next-state functions. Then, we 
formalised the Saturation algorithm and the routine for firing events, and conducted their correctness 
proof in PVS following the pencil-and-paper proof. In the following, we present the definition of 
some of those basic concepts in PVS. Predicate local_value?(m) below formalises local state 
values at level m, where nk is the function = |5j.|. The reader should remember that Saturate 
generates state spaces of values on a level basis. This is a direct consequence of the definition 
of Kronecker consistency. local_value(m) is the type of all elements satisfying the predicate 
local_value?(m), and the type state (k) formalises sub-states of size k as sequences s whose 
elements s'sq(m) at any position m < k are restricted by nk. We further define s_t(k,s,m) (not 
shown here) to be a sub-state of s of size m < k, where k is the size of s. 

local_value? (m) (n) : bool = (m=0 A n=0) V (m > 0 A n > 0 A n < nk(m) ) 
local_value(m) : type = (local_value? (m) ) 

state(k): type = { s:Seq(k) I V(m : upto (k) ) : (m=0 A s'sq(m)=0) V 

(m > 0 A s'sq(m) > 0 A s'sq(m) < nk(m) ) } 

We use PVS datatypes to model MDDs, formed using type constructors, and define predicates 
ordered? and reduced? (not shown here), modelling ordered and reduced MDDs. Predicate 
reduced? subsumes ordered?. The type QMDD below formalises Definition 1. We further define 
function level, which returns the height of an MDD node, child (p,i), which returns the i-th 
child of an MDD p, and predicate trivial? that holds of an MDD if it is 0 or 1 . 

OMDD: type = (reduced?) 

Events are formalised as the type event below with two functions Top and Bottom returning the 
highest and lowest level an event depends upon. The symbol + in the type definition indicates that 
the type event is non-empty. TopLesser(k) models the set $ = {e: Top(e) < k}. 

event : type+ 

Top: [event -> posnat] 

Bottom: [event -> posnat] 

TopLesser (k) : setof [event] = {e: event I Top(e) < k} 
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Saturate^ in k'.level, p'.index) 

Update {k\p) in-place, to encode 

jq k (38((k\p))). 

declare e'.event', 
declare 2 z? :set of local ; 
declare f,u\index\ 
declare i,j:local\ 
declare pChanged'.bool', 

1. repeat 

2. pChanged <— false', 

3. foreach e e S k do 

4. Jz? <— Locals(e,k, p)\ 

5. while 2z?^0 do 

6. i *— Pick{JZ J )\ 

7. /*-F/re(e,A:-l,(k|p) [?']); 

8. if /^o then 

9. foreach j e ^V e k (i) do 

10. u*—Union(k 

i ,/, (*|p}L/1); 

11. if u^(k\p)[j] then 

12. (k\p)[j]*-w, 

13. pChanged*— true] 

14. if ^K k U) ^ 0 then 

15. 

1 6. until pChanged = false] 

Union( in k'.level, p'.index, q'.index) '.index 
Build an MDD rooted at (&|s) encoding 
^((k|p))u^((%)). Return 5 . 

declare i'.local', 
declare s,u\index\ 

1 . if p = 1 or q = 1 then return 1; 

2 . if p = 0 or p = <7 then return g; 

3. if q = 0 then return /?; 

4. if Find(UCaclie[k\,{p,q},s) then 
return s', 

5 . j <— NewNode (k ) ; 

6. for i = 0 to «*-l do 

7. « <— Unionfk— 1, 

8. (fc|\) [i] <— «; 

9. Check(k,s) - , 

1 0. /wierf(CCac/!e[k], {p,^r},i); 

11. return s; 


Fire( in e'.event, I'.level, q\index)\index 
Build an MDD rooted at (l\s) encoding 
JQ t {J< e (B§((l\q)))). Return 5. 

declare Jzf :set of local ; 
declare f ,u,s'.index\ 
declare i,j\local\ 
declare sChanged'.bool - , 

1 . if / < Bottom(e ) then return q\ 

2 . if FmJ(FCflc/!e[/], {g,e},s) then 

3. return 5 ; 

4. s *— NewNode{l)\ 

5. sChanged *— false', 

6. ££ 4— Locals(e,l,q)', 

7. while Jf ^ 0 do 

8. i <— Pick(^F)', 

9. /<— f»e(e, /— l,(/|g) [i]); 

10 . if /^0 then 

1 1 . foreach j e J/, r J(i ) do 

12. « <— Union(l— 1,/, (/|s) [/']); 

13. if «^(/|j)L/] then 
14 - 

15. sChanged *— true] 

1 6 . if sChanged then 

17. Saturate^ ,s)\ 

18. Check(l,s)', 

19. Insert(FCache[l\,{q,e},s)', 

20 . return s', 

Locals( in e'.event, k'.level, p'.index)'. 

set Of local 

Return {iey k :{k\p)[(\f=0, ^F e k {i) 7 ^ 0 }, 

the local states in p locally enabling e. 
Return 0 or {i e ■ r /' k : Jf k (i) # 0}, re- 
spectively, if p is 0 or 1 . 

Check( in k'.level, inout p'.index ) 

If {k\p) is the duplicate of an exist- 
ing (k\q) delete (k\p) and set p to q. 
Else, insert (k\p) in the unique table. 
If <fc|p)[0] = ■" = {k\p)[n k — \] = 0 or 1, 
delete {k\p) and set p to 0 or 1 , since 
3§{{k\p)) isOor^x-'-x^ 1 2 3 4 5 6 7 8 9 * 11 , respec- 
tively. 


Figure 1 : Pseudo-code for the node-saturation and event firing algorithms. 
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The type next (k) describes jV e for some event e. Local next-state functions at level k are 
introduced by the type Localnext(k). A finite sequence of local next-state functions fs makes a 
next-state function N Kronecker consistent, Kronecker? (k) (N) (fs), if for each event e, and sub- 
states x and y of size k, every y’s local state y'sq(m) with m < k is an image of x's local state 
x'sq(m) through the local next-state function f s'sq(m) (e) (modelling 

next(k): type = [ event -> [state (k) -> setof [state (k) ] ] ] 

Localnext (k) : type = [ event -> [local_value (k) -> setof [local_value (k) ] ] ] 

Kronecker? (k) (N) (f s) : bool = 

V(e: event, x,y : state (k) ) : 

N(e)(x)(y) <t=t> V(m:upto(k)) : f s'sq(m) (e) (x'sq(m) ) (y'sq(m) ) 

NextLesser (k) (N,fs) (x) formalises applied over a sub-state x consisting of k levels. 
The formalisation assumes that fs is a sequence of local next-state functions that make N Kro- 
necker consistency. That is, jV e has a Kronecker representation for all event e such that Top(e) < k. 
We further define NextLesser (k,m) (N,fs) similar to NextLesser (m) (N,fs) (not shown here) 
for levels less than or equal to m, and equals to the identity function from m+1 to k. Definition of 
NextLesser (m) (N,fs) is extended to a set X of sub-states in the natural way. 

NextLesser (k) (N, fs) (x) : setof [state (k)] = 

{ y: state (k) I 3 (e : (TopLesser (k) ) ) : 

V(m: upto (k) ) : f s'sq(m) (e) (x'sq(m) ) (y'sq(m) ) } 

</K? k (X) is formalised as Apply (k) (N,fs) (w) (X) below, where w represents the number of 
iterations after which applying on X does not generate any new state. That is, X is a fixed- 
point of jV<k- The existence of such w is guaranteed by our formalisation since A is a finite 
set, and every ^Y e in with Top(e) < k is an increasing function. A similar definition for 
Apply(k,m) (N,fs) (w) (X) exists (not shown here) that uses NextLesser (k,m) (N,fs) (X) in- 
stead of NextLesser (k) (N,f s) (X). As a consequence of the definition of and because we are 
considering Kronecker consistency next-state functions, we have that 1(^0) = 

(Corollary Apply_corl). 

Apply(k) (N,fs) (w) (X) : recursive setof [state (k) ] = 
if w=0 then X elsif w=l then union(X .NextLesser (k) (N , fs) (X) ) 
else union(X, Apply (k) (N, fs) (w-1) (X) ) endif 
measure w 

Apply_corl: corollary 

V(k: {n:upto(K) |n>0}, N:next(k), f s : (kronecker? (k) (N) ) , 
w:posnat, X : setof [state (k) ] , s:state(k)): 

Apply (k) (N,f s) (w) (Apply (k,k-l) (N,fs) (w) (X)) (s) Apply(k) (N,fs) (w) (X) (s) 

Finally, we formalise the routine for firing events and model its usage in Saturation. We employed 
an axiomatic approach rather than writing a definition for the routine. Although axioms might po- 
tentially introduce inconsistencies, the use of definitions may force PVS to generate additional proof 
obligations all over the lemmas and theorems using the definitions, cluttering their proofs. Further- 
more, an axiomatic approach is preferable when one is not interested in generating code for the 
algorithm directly. The firing of an event e on a node (l\q), fire(l, e,N,fs,w,q) is described by 
axioms f ire_trivial, f ire_nontrivial, f ire_recursive, and f ire_ saturated below, with 
1 < K, e : [ev : event I 1 < Top (ev) N :next (1), f s : (Kronecker? (1 ) (N) ) , and q: {u : QMDD I 
level (u)=l A saturated? (1 ,u) (N,f s) (w)>. Therefore, to be able to call f ire(l,e,N,f s,w,q), 
event e should be such that 1 < Top(e), and q should be such that saturated? (l,q) (N, fs) (w), 
in accordance with the “Fire is always invoked on a saturated node ( l\q ) with / < Top(e )” invari- 
ant condition. fire_trivial states that fire(l, e,N,fs,w,q) returns q unaffected when ei- 
ther 1< Bottom (e) or 1 = 0. These two conditions describe the cases when the recursive call to 
fire(l, e,N,fs,w,q) ends, f ire_nontrivial states that if 1>0, then fire(l, e,N,fs,w,q)’s 
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call returns a node whose level is the same as q's level, that is 1. trivial? holds of an MDD if it 
is 0 or 1. f ire_recursive states that the set Below(l, fire(l, e,N,fs,w,q)) of states of size 1 
encoded by a call to f ir e ( 1 , e , N , f s , w , q) is recursively generated on a Kronecker structured level- 
basis. That is, at level 1, the local next-state function ^/Vj (see fs'sq(l) (e) ) generates all the local 
states for every local state value i at level 1, and recursively, fire (1-1 , e .Nj/.f Sn/.w, child (q, i) ) 
generates all the sub-states of size 1-1. The final challenge in our formalisation comes from mod- 
elling the mutual recursion between Saturate and Fire. Mutual recursion is not directly supported 
by PVS. The axiom f ire_saturated formalises the invariant “Saturate is invoked just before re- 
turning from Fire” in which we model Saturated as a property of a node that is fired on a particular 
event. Notice that f ire_saturated cannot directly be expressed as a definition. 

f ire (1 , e ,N , f s ,w,q) : OMDD 

f ire_trivial : axiom 1 < Bottom(e) V 1=0 => fire (1 , e ,N , fs ,w,q)=q 
f ire_nontrivial : axiom 

1 > 0 => -it ri vial? (fire (1 ,e,N,fs,w,q)) A level (fire (l,e,N,fs,w,q))=l 

f ire_recursive : axiom 
Below(l , f ire (1 , e ,N , f s , w, q) ) = 

{ s:state(l) I 3 (i : local_value (1) ) : f s'sq(l) (e) (i) (s'sq(l) ) A 

Below (1-1 , fire (1-1 , e ,N]/, f s^, w, child (q, i) ))(s_t(l,s,l-l)) } 

f ire_saturated : axiom saturated? (1 , fire (1 , e ,N , fs ,w, q) ) (N , fs) (w) 

3.1 Saturation’s Formalisation 

Theorem 1 formalises ^K? k _ l (^F e (£$(k, p))) = Uies^e k (i) x ^<Vi Wm(k- 1 1 (%>[*•]»)), 

which is true in Kronecker systems. 

Theorem 1 (Applying Kronecker Consistent Next-State Functions). This theorem is used in Satura- 
tion ’s correctness proof (Theorem 2). 

kronecker_apply : theorem 

V (k: in :upto (K) ln>0}, p:{u:0MDDl ^trivial? (u) A level (u)=k}, ev:event, 
N:next(k) , f s : (kronecker? (k) (N) ) , w.posnat, w^-.posnat, s:state(k)): 

( 3 (i : local_value(k) ) : 

fs'sq(k) (ev) (i) (s'sq(k)) A 

Apply (k-1) (N k i ,fs k r) (w i ) (Next (k-1, ev) (N k i,fs k i) (Below(k-l , child(p , i)))) 

(s_t (k, s ,k-l) ) ) 

App ly(k, k-1) ( N , fs) (w) (Next (k, ev) (N,fs) (Below(k,p) ) ) (s) 

The proof of Theorem 1 is conducted under the well_def ined assumption below, which states 
that since “the enabling and the outcome of firing an event e only depend on the states of sub-models 
Top(e) through Bottom(e)”, if k < Bottom(e) then applying d<A to (%(k,p) does not generate any 
new state, and the non_decreasing assumption, which states that all considered local next-state 
functions f are non-decreasing. Below(k,p) formalises 0§(k,p), the set of states encoded by (k\p). 

well_def ined: assumption 
V(k:upto(K), p:{u:0MDD I level (u)=k} , e: event, 

N : next (k) , f s : (Kronecker? (k) (N) ) ) : 
k<Bottom(e) =4> Below(k,p) = Next (k, e) (N, f s) (Below(k,p) ) 

non_decreasing : assumption 

V(k:upto(K), e:event, f : Localnext (k) , i : local_value (k) ) : f(e)(i)(i) 
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Theorem 1 is proved by induction on w and wi. The base case, w=l and wi=l, is proved from 
the lemma below_incremental below. This lemma states that a state s of size k>0 belongs to 
Below(k,p) if and only if p is not trivial (p is different to 0 and 1), and s_t (k, s ,k-l) belongs to 
Below(k-l , child (n, s'sq(s'ln) ) ) . 

below_incremental : lemma 
Below(k,p) (s) 

( -i trivial? (p) A Below(k-l , child(p, s'sq(s'ln) )) (s_t (k, s ,k-l) ) ) 

The inductive step for Theorem 1 is shown below. It reduces after expanding the definition of Apply 
in the w+1 part of the logical equivalence. 

Apply (k,k-l) (N , f s) (w) (Next (k, ev) (N, f s) (Below(k,p) ) ) (s) 

Apply (k,k-l) (N , f s) (w+1) (Next (k, ev) (N,f s) (Below(k,p) ) ) (s) 

Theorem 2 below formalises Saturation’s correctness condition in PVS. The PVS proof of this 
theorem follows the pencil-and-paper proof in Section 2.3. 

Theorem 2 (Saturation’s Correctness). 38(1, f) = ^AQ l (^y' e (^)), where f is the value returned by 
Fire(l,e,q ) ’s call, and ft stands for 38(1, q) before calling Fire(l,e,q), for some event e such that 
l < Top(e). 

saturation_correctness : theorem 

V (l :upto (K) , e : {ev : event I l < Top (ev)} , N:next(l) , fs:(Kronecker?(l)(N), 
w.posnat , q:{u:OMDD I level (u) = l A saturated? (I ,u) (N, fs) (w)}) ) : 

Below(l , fire(l , e,N , fs ,w, q) ) = 

Apply (l) (N, fs) (w) (Next (l, e) (N,fs) (Below(l , q))) 

Proof. By induction on 1. 

(i.) Base case (1=0). If 1=0 then f ire (1 ,e,N,fs,w,q) = q (Axiom f ire_tr ivial). Below (0 , q) 
equals TSeq (the empty sequence), and Next(0,e) (N,fs) ({TSeq}) = {TSeq}. Because 
Apply (0) (N,f s) (w) ({TSeq}) = {TSeq}, the base case reduces trivially. 

level(q)=0 A 0 < Top(e) Areduced?(q) A 
Kronecker? (0)(N)(fs) A saturated? (0,q)(N,fs)(w) 

Below(0 ,f ire (0 , e ,N, f s ,w, q) ) = 

Apply (0) (N , f s) (w) (Next (0,e) (N,fs) (Below (0 , q) ) ) 

(ii.) Inductive step with f = fire(l+l,e,N,fs,w,q). 

1+1 < Top(e) A level(q)=l+l A reduced?(q) A 
Kronecker? (1+1) (N) (f s) A saturated? (1+1 , q) (N , fs) (w) A 
(V(ee : {ev : event I l<Top(ev)}, Ni:next(l), fsi : (Kronecker? (1) (Ni) ) , 
ww:nat, qq:{u:0MDD I level (u) =1 A saturated? (1 ,u) (Ni jfsx) (ww) }) : 

Below (1 , fire (1 , ee ,Nx , f sj , ww,qq) ) = 

Apply (1) (Ni ,f Si) (ww) (Next (1 , ee) (N x , f Sj) (Below(l , qq) ) ) ) 

=> 

Below (1+1 , f ) = Apply (1+1) (N , f s) (Next (l+l,e)(N,fs) (Below (1+1 , q) ) ) 

(ii.i) Let us suppose 1+1 < Bottom (e) . From axiom f ire_tr ivial, f = fire (1+1 , e,N,f s , 
w,q) = q. The proof is discharged from this, saturated? (1+1 ,q) (N,fs) (w) in the 
antecedent of the proof, and the assumption well_def ined. 

(ii.ii) Let us suppose 1+1 > Bottom(e). If trivial? (q) then level (q) = 0, which con- 
tradicts the hypothesis level (q) = 1+1. We hence assume -> trivial? (q) afterwards. 
From the axiom f ire_saturated and saturated? (l,f) (N,fs) (w) in the hypothe- 
sis of the proof, Below(l+l,f) = Apply! 1+1) (N,fs) (w) (Below(l+l,f)). Because 
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Below (1+1 , f ) = Apply (1+1 ,1) ( N, f s) (w) (Next (1+1 , e) (N , f s) (Below (1+1 , q) ) ) 1 , 
thenBelow(l+l ,f ) =Apply(l+l) (N,fs) (w) (Apply(l+1 ,r) (N,fs) (w) (Next( 1+1, 
e) (N,fs) (Below(l+l,q)))). Therefore, from Corollary Apply_corl in Section 3, 
Below (1+1 , f) = Apply (1+1) (N, f s) (Next (1+1 , e)(N,fs) (Below (1+1 , q) ) ) . 

□ 


4 Conclusion and Future Work 

Saturation is a high-performance non-trivial algorithm with an existing pencil-and-paper correctness 
proof. Conducting Saturation’s correctness proof in PVS allowed us to verify correct the existing 
pencil-and-paper proof. Additionally, the PVS type-checker ensures that all the definitions in Satu- 
ration are type-correct, and that details are not overlooked. The Kronecker consistency property of 
systems considered in Saturation allows a separation of concerns so that proof-constraints did not 
clutter the actual structural proofs we conducted. In this regard, Saturation's correctness proof out- 
lines a proof approach for an entire family of algorithms relying on structural properties. However, 
there is still a missing link. We proved the correctness of a model of Saturation. But, how do we 
know that Saturation’s implementation faithfully attests to this model? As future work, we will pur- 
sue research in generating Java or C code from the PVS formalisation of Saturation, in the spirit of 
C. Munoz and L. Lensink’s work in [11], and comparing this code with the existing implementation 
of Saturation in the SMART formal analysis tool. 

The full formalisation of Saturation in PVS consists of 7 theories, 10 lemmas, 7 corollaries, 2 
main theorems, and 107 Type-Correctness Conditions (TCCs). The full formalisation can be reached 
at http : //www .uma.pt/ncatano/ sat correctness/ saturation-proof s .htm. Our formalisa- 
tion is purely functional, e.g., we do not formalise memory, or memory operations. 

Future Work. In [11], Munoz and Lensink present a prototype code generator for PVS which 
translates a subset of PVS functional specifications into the Why language [8] then to Java code 
annotated with JML specifications [3, 4], However, the code generator is still a proof of concept 
so that many of its features have to be improved. We will pursue research in that direction so as 
to generate Java certified code from the PVS formalisation of Saturation, and compare this with the 
existing implementation of Saturation in the SMART formal analysis tool. 

In a complementary direction, our PVS formalisation of Saturation can be ported into B [1], 
Then, using refinement calculus techniques [9, 10], e.g., implemented in the AtelierB tool [2], code 
implementing Saturation can be generated. This code is ensured to comply with the original formali- 
sation of Saturation. A predicate calculus definition would require that axiomatisation for the routine 
for firing events (Section 3) is replaced by a more definitional style of modelling. 
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